-
Notifications
You must be signed in to change notification settings - Fork 0
Get users' public keys stored in an LDAP directory for public key authentication with sshd (or other programs)
License
paul-mcm/getpk-tools
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
CONTENTS ========== I. INTRO II. IMPLEMENTATION DETAILS III. REQUIREMENTS IV. INSTALLATION & CONFIGURATION V. SSHD CONFIGURATION VI. LDAP CONFIGURATION VII. THE sshPublicKey OBJECT CLASS VIII. OS SPECIFIC NOTES I. INTRO --------- Using the AuthorizedKeysCommand configuration keyword, sshd can be configured to requests users' public keys from external programs run on the local host for public-key authentication (see sshd_config(5)). The getpk tools, getpk(8) and getpkd(8), are a pair of small client/server utilities that run on the local host to serve requests from sshd(8) (or other programs) for public keys stored in an LDAP directory entry. The primary design requirement was to maintain state information on the LDAP servers' availability, obviating any dependencies on layer-3 proxies (e.g. VIPs) between clients running sshd(8) and clusters of redundant of LDAP servers. Similarly to other common authentication management tools (nslcd, saslauthd, sssd) the getpkd(8) daemon can be configured with a list of LDAP servers, and it provides failover and failback functionality as their availability status changes. The getpk tools have been tested successfully on OpenBSD 6.0 and 6.1, FreeBSD 11.0, Debian Linux 8.7, and Centos 7.3. See section VIII 'OS SPECIFIC NOTES' for OS specific idiosyncrasies. II. IMPLEMENTATION DETAILS ---------------------------- getpkd(8) is a server daemon that listens on the local, unix domain socket at /tmp/getpkd/getpkd.sock. A client request consists of a single username. A server reply consists of one or more lines of 'authorized keys' output retrieved from the LDAP directory entry for the given username. For public key authentication using sshd(8), public keys in the LDAP entry must be stored in the authorized_keys format as described in the section AUTHORIZED_KEYS in the sshd(8) manpage. The client program, getpk(8), is a simple command-line tool that can be used by programs that can't communicate directly with the getpkd(8) daemon. It takes a username as its only argument and initiates a client request to getpkd(8). It writes the server's reply unmodified to STDOUT. The following diagram shows the data flow between sshd(8), the getpk tools and a host running OpenLDAP's slapd server daemon. --------------------------------------------------- | CLIENT HOST | | | --------------- | ------ ------- -------- | | LDAP server | | | sshd | <-----> | getpk | <-----> | | | | | | ------ ------- | | | | ------- | | ------- | getpkd | <---|------|--> | slapd | | | | foo | <-----> | | | | ------- | | ------- | | | --------------- | -------- | | | --------------------------------------------------- Both getpk(8) and getpkd(8) run on the same host as the sshd server. In this example, sshd(8) executes getpk(8) with the username to authenticate as the only arg. getpk(8) initiates a request to getpkd(8) which fetches the public key for that user from the LDAP server. Results of the query are passed back to getpk(8) unmodified which in turn passes them back to sshd(8). The program `foo' is an example of an application written to talk directly to getpkd(8). The primary purpose of the server daemon, getpkd(8), is to obviate any need for layer-3 proxies (e.g., VIPs) between the client and the LDAP servers. getpkd(8) maintains state information about the availability of the LDAP servers it has been configured to query and ensures redundancy through failover/failback mechanisms when the status of servers' availability changes. getpkd(8) expects public keys to be a value assigned to the `authkey' attribute in the user's LDAP directory entry. The getpk tools include an LDAP schema that defines the sshPublicKey object class with the authkey attribute. See the section VI 'LDAP CONFIGURATION' for installing the schema on OpenLDAP's slapd server. See section VII 'THE sshPublicKey OBJECT CLASS' for additional details. III. REQUIREMENTS ----------------- 1. The getpkd(8) daemon requires libldap and related libraries from the OpenLDAP project (http://www.openldap.org). Your system most likely has a package that installs these libraries. For Debian 8.7, if TLS functionality is desired then the OpenLDAP libraries cannot be linked to the GnuTLS library. See section VIII 'OS SPECIFIC NOTES'. 2. To compile the getpkd tools, gcc and GNU make are required. Also, the header file `ldap.h' must exist. Depending on your target system, this may require installing an openldap development package. 3. getpkd(8) runs as the unprivileged user `getpk'. It is therefore necessary to create a user and group with this name on your target system before installation. For security reasons, the getpk user's shell should be set to /sbin/nologin and the home directory to /var/empty (or whatever equivalents exist on your system for unprivileged user accounts). 4. Public keys in the LDAP directory must be assigned to the `authkey' attribute. Use the included sshPublicKey.schema or write a schema definition that defines an object class with this attribute name. See the section VI 'LDAP CONFIGURATION'. 5. sshd(8) requires owner and group settings of root:root (or root:wheel) on the directory where getpk(8) is installed. See section VIII 'OS SPECIFIC NOTES' for how this requirement affects installation on Debian systems. IV. INSTALLATION & CONFIGURATION ---------------------------------- The getpk tools have been successfully compiled on OpenBSD 6.0 and 6.1, FreeBSD 11, Debian Linux 8.7 and Centos 7.3. If your system's linker is unable to find the libraries modify the `libs' variable in the Makefile to point to the location where the ldap libraries are installed. After satisfying the requirements defined in section II, change to the src/ directory and run make all and as a privileged user make install (on BSDs, use gmake); If all goes well, the result will be 2 new binaries. On Centos/BSDs these are: /usr/local/sbin/getpk /usr/local/sbin/getpkd on Debian: /opt/getpktools/getpk /opt/getpktools/getpkd (Section VIII of this document describes the rationale for the install location on Debian systems.) A config file is automatically installed as: /etc/getpkd.conf These manpages are placed under /usr/local/ getpk(8) getpkd(8) getpkd.conf(5) See the getpkd.conf(5) man page for details on configuring getpkd(8). V. SSHD CONFIGURATION ----------------------- sshd(8) must be configured to use getpk(8) to obtain public keys (see sshd_config(5)). For BSDs/RHEL systems, add these settings to sshd_config: AuthorizedKeysCommand /usr/local/sbin/getpk AuthorizedKeysCommandUser getpk On Debian, the value for AuthorizedKeysCommand should be set to /opt/getpktools/getpk. Also, confirm that sshd(8) is configured to use public key authentication (it's turned on by default) and then restart sshd(8). VI. LDAP CONFIGURATION ---------------------- getpkd(8) searches the LDAP directory for a DN with the uid attribute that matches the username being queried. This typically requires LDAP entries to use either the posixAccount or inetOrgPerson object class. Public keys are expected to be a value assigned to the authkey attribute in a user's LDAP entry. The file sshPublicKey.schema defines the sshPublicKey object class with the authkey attribute. The authkey attribute may hold multiple keys. The format of the key should conform to the authorized_keys format as described in the manpage for sshd(8). To use the sshPublicKey object class with OpenLDAP's slapd server, copy the file sshPublicKey.schema to OpenLDAP's schema directory and configure slapd to include the new object class (see slapd.conf(5)). See the next section for more information on the sshPublicKey object class. VII. THE sshPublicKey OBJECT CLASS -------------------------------- The sshPublicKey object class provided with getpk tools defines 4 attributes: authkey - a value conforming to the authorized_keys format as described in the manpage for sshd(8) fingerprint - fingerprint of the key keytype - e.g., `ecdsa-sha2-nistp256', `ecdsa-sha2-nistp384', `ecdsa-sha2-nistp521', `ssh-ed25519', `ssh-dss' or `ssh-rsa' keylen - number of bits in the key All attributes may contain multiple values. Note however that there is no inherent way for an LDAP operation to associate multiple values of one attribute to values in another attribute - e.g., if the authkey attribute contains 2 keys, and the fingerprint attribute contains 2 different values, there is no way for an LDAP search operation to map the keys to their corresponding fingerprints. The program initiating the request must determine those associations based on the results of the LDAP search operation (if possible). At this time, getpkd(8) only queries the LDAP server for the authkey attribute's values. It is the only value required for OpenSSH public key authentication. VIII. OS SPECIFIC NOTES ------------------------- OpenBSD ------- The getpk tools use pledge(2) to restrict their operations. Therefore, they will not compile on OpenBSD releases prior to 5.9. FreeBSD -------- (none) CentOS ------- (none) Debian Linux ------------- 1. sshd(8) requires that the program specified by the 'AuthorizedKeysCommand' be in a directory owned by root with a group owner id of `0' (typically 'root' or 'wheel'). Debian Linux sets group ownership of /usr/local/sbin to 'staff' (gid 50), therefore, in order to install the getpk tool into a working location on these systems, the Makefile creates the directory /opt/getpktools with the requisite permissions and installs the binaries there. The binaries may be moved to any other location in the filesystem that meets sshd(8)'s requirements for owner/group settings. 2. The OpenLDAP libraries packaged for Debian are linked with the GnuTLS library for TLS operations. The version of this library installed on Debian 8.7 (and earlier verions?) has initialization functions that break some security features and cause getpkd to fail when configured to use TLS. To use TLS with getpkd, rebuild the LDAP libraries, configuring support for TLS using some other library (libssl has been tested successfully). By default, the Makefile expects to find the LDAP libraries in /usr/local/lib
About
Get users' public keys stored in an LDAP directory for public key authentication with sshd (or other programs)
Topics
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published